From: Greg Kroah-Hartman Date: Mon, 12 Aug 2024 09:50:01 +0000 (+0200) Subject: 6.10-stable patches X-Git-Tag: v6.1.105~88 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8e7372a493599c11143cb6b1f38942fe42b72961;p=thirdparty%2Fkernel%2Fstable-queue.git 6.10-stable patches added patches: media-v4l-fix-missing-tabular-column-hint-for-y14p-format.patch scsi-mpi3mr-avoid-iommu-page-faults-on-report-zones.patch scsi-ufs-core-do-not-set-link-to-off-state-while-waking-up-from-hibernation.patch scsi-ufs-core-fix-deadlock-during-rtc-update.patch scsi-ufs-core-fix-hba-last_dme_cmd_tstamp-timestamp-updating-logic.patch tick-broadcast-move-per-cpu-pointer-access-into-the-atomic-section.patch usb-gadget-core-check-for-unset-descriptor.patch usb-gadget-f_fs-restore-ffs_func_disable-functionality.patch usb-gadget-midi2-fix-the-response-for-fb-info-with-block-0xff.patch usb-gadget-u_audio-check-return-codes-from-usb_ep_enable-and-config_ep_by_speed.patch usb-gadget-u_serial-set-start_delayed-during-suspend.patch vhost-vdpa-switch-to-use-vmf_insert_pfn-in-the-fault-handler.patch --- diff --git a/queue-6.10/media-v4l-fix-missing-tabular-column-hint-for-y14p-format.patch b/queue-6.10/media-v4l-fix-missing-tabular-column-hint-for-y14p-format.patch new file mode 100644 index 00000000000..17f47c80f0f --- /dev/null +++ b/queue-6.10/media-v4l-fix-missing-tabular-column-hint-for-y14p-format.patch 
@@ -0,0 +1,45 @@ +From 914f8961879de6fadd166ebd75151a778481e09a Mon Sep 17 00:00:00 2001 +From: Jean-Michel Hautbois +Date: Sat, 8 Jun 2024 18:41:27 +0200 +Subject: media: v4l: Fix missing tabular column hint for Y14P format + +From: Jean-Michel Hautbois + +commit 914f8961879de6fadd166ebd75151a778481e09a upstream. + +The original patch added two columns in the flat-table of Luma-Only +Image Formats, without updating hints to latex: above it. This results +in wrong column count in the output of Sphinx's latex builder. + +Fix it. + +Reported-by: Akira Yokosawa +Closes: https://lore.kernel.org/linux-media/bdbc27ba-5098-49fb-aabf-753c81361cc7@gmail.com/ +Fixes: adb1d4655e53 ("media: v4l: Add V4L2-PIX-FMT-Y14P format") +Cc: stable@vger.kernel.org # for v6.10 +Signed-off-by: Jean-Michel Hautbois +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/userspace-api/media/v4l/pixfmt-yuv-luma.rst | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Documentation/userspace-api/media/v4l/pixfmt-yuv-luma.rst b/Documentation/userspace-api/media/v4l/pixfmt-yuv-luma.rst +index f02e6cf3516a..74df19be91f6 100644 +--- a/Documentation/userspace-api/media/v4l/pixfmt-yuv-luma.rst ++++ b/Documentation/userspace-api/media/v4l/pixfmt-yuv-luma.rst +@@ -21,9 +21,9 @@ are often referred to as greyscale formats. + + .. raw:: latex + +- \scriptsize ++ \tiny + +-.. tabularcolumns:: |p{3.6cm}|p{3.0cm}|p{1.3cm}|p{2.6cm}|p{1.3cm}|p{1.3cm}|p{1.3cm}| ++.. tabularcolumns:: |p{3.6cm}|p{2.4cm}|p{1.3cm}|p{1.3cm}|p{1.3cm}|p{1.3cm}|p{1.3cm}|p{1.3cm}|p{1.3cm}| + + .. flat-table:: Luma-Only Image Formats + :header-rows: 1 +-- +2.46.0 + diff --git a/queue-6.10/scsi-mpi3mr-avoid-iommu-page-faults-on-report-zones.patch b/queue-6.10/scsi-mpi3mr-avoid-iommu-page-faults-on-report-zones.patch new file mode 100644 index 00000000000..a903ac0d09c --- /dev/null +++ b/queue-6.10/scsi-mpi3mr-avoid-iommu-page-faults-on-report-zones.patch 
@@ -0,0 +1,66 @@ +From 1abc900ddda8ad2ef739fedf498d415655b6c3b8 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Fri, 19 Jul 2024 16:39:11 +0900 +Subject: scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES + +From: Damien Le Moal + +commit 1abc900ddda8ad2ef739fedf498d415655b6c3b8 upstream. + +Some firmware versions of the 9600 series SAS HBA byte-swap the REPORT +ZONES command reply buffer from ATA-ZAC devices by directly accessing the +buffer in the host memory. This does not respect the default command DMA +direction and causes IOMMU page faults on architectures with an IOMMU +enforcing write-only mappings for DMA_FROM_DEVICE DMA direction (e.g. AMD +hosts), leading to the device capacity to be dropped to 0: + +scsi 18:0:58:0: Direct-Access-ZBC ATA WDC WSH722626AL W930 PQ: 0 ANSI: 7 +scsi 18:0:58:0: Power-on or device reset occurred +sd 18:0:58:0: Attached scsi generic sg9 type 20 +sd 18:0:58:0: [sdj] Host-managed zoned block device +mpi3mr 0000:c1:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0001 address=0xfec0c400 flags=0x0050] +mpi3mr 0000:c1:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0001 address=0xfec0c500 flags=0x0050] +sd 18:0:58:0: [sdj] REPORT ZONES start lba 0 failed +sd 18:0:58:0: [sdj] REPORT ZONES: Result: hostbyte=DID_SOFT_ERROR driverbyte=DRIVER_OK +sd 18:0:58:0: [sdj] 0 4096-byte logical blocks: (0 B/0 B) +sd 18:0:58:0: [sdj] Write Protect is off +sd 18:0:58:0: [sdj] Mode Sense: 6b 00 10 08 +sd 18:0:58:0: [sdj] Write cache: enabled, read cache: enabled, supports DPO and FUA +sd 18:0:58:0: [sdj] Attached SCSI disk + +Avoid this issue by always mapping the buffer of REPORT ZONES commands +using DMA_BIDIRECTIONAL, that is, using a read-write IOMMU mapping. 
+ +Suggested-by: Christoph Hellwig +Fixes: 023ab2a9b4ed ("scsi: mpi3mr: Add support for queue command processing") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Link: https://lore.kernel.org/r/20240719073913.179559-2-dlemoal@kernel.org +Reviewed-by: Christoph Hellwig +Reviewed-by: Johannes Thumshirn +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mpi3mr/mpi3mr_os.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/scsi/mpi3mr/mpi3mr_os.c ++++ b/drivers/scsi/mpi3mr/mpi3mr_os.c +@@ -3453,6 +3453,17 @@ static int mpi3mr_prepare_sg_scmd(struct + scmd->sc_data_direction); + priv->meta_sg_valid = 1; /* To unmap meta sg DMA */ + } else { ++ /* ++ * Some firmware versions byte-swap the REPORT ZONES command ++ * reply from ATA-ZAC devices by directly accessing in the host ++ * buffer. This does not respect the default command DMA ++ * direction and causes IOMMU page faults on some architectures ++ * with an IOMMU enforcing write mappings (e.g. AMD hosts). ++ * Avoid such issue by making the REPORT ZONES buffer mapping ++ * bi-directional. ++ */ ++ if (scmd->cmnd[0] == ZBC_IN && scmd->cmnd[1] == ZI_REPORT_ZONES) ++ scmd->sc_data_direction = DMA_BIDIRECTIONAL; + sg_scmd = scsi_sglist(scmd); + sges_left = scsi_dma_map(scmd); + } diff --git a/queue-6.10/scsi-ufs-core-do-not-set-link-to-off-state-while-waking-up-from-hibernation.patch b/queue-6.10/scsi-ufs-core-do-not-set-link-to-off-state-while-waking-up-from-hibernation.patch new file mode 100644 index 00000000000..efaf282d4c3 --- /dev/null +++ b/queue-6.10/scsi-ufs-core-do-not-set-link-to-off-state-while-waking-up-from-hibernation.patch 
@@ -0,0 +1,52 @@ +From ac6efb12ca64156f4a94e964acdb96ee7d59630d Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Thu, 18 Jul 2024 22:36:59 +0530 +Subject: scsi: ufs: core: Do not set link to OFF state while waking up from hibernation + +From: Manivannan Sadhasivam + +commit ac6efb12ca64156f4a94e964acdb96ee7d59630d upstream. + +UFS link is just put into hibern8 state during the 'freeze' process of the +hibernation. Afterwards, the system may get powered down. But that doesn't +matter during wakeup. Because during wakeup from hibernation, UFS link is +again put into hibern8 state by the restore kernel and then the control is +handed over to the to image kernel. + +So in both the places, UFS link is never turned OFF. But +ufshcd_system_restore() just assumes that the link will be in OFF state and +sets the link state accordingly. And this breaks hibernation wakeup: + +[ 2445.371335] phy phy-1d87000.phy.3: phy_power_on was called before phy_init +[ 2445.427883] ufshcd-qcom 1d84000.ufshc: Controller enable failed +[ 2445.427890] ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5 +[ 2445.427906] ufs_device_wlun 0:0:0:49488: ufshcd_wl_resume failed: -5 +[ 2445.427918] ufs_device_wlun 0:0:0:49488: PM: dpm_run_callback(): scsi_bus_restore returns -5 +[ 2445.427973] ufs_device_wlun 0:0:0:49488: PM: failed to restore async: error -5 + +So fix the issue by removing the code that sets the link to OFF state. + +Cc: Anjana Hari +Cc: stable@vger.kernel.org # 6.3 +Fixes: 88441a8d355d ("scsi: ufs: core: Add hibernation callbacks") +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20240718170659.201647-1-manivannan.sadhasivam@linaro.org +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/core/ufshcd.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -10223,9 +10223,6 @@ int ufshcd_system_restore(struct device + */ + ufshcd_readl(hba, REG_UTP_TASK_REQ_LIST_BASE_H); + +- /* Resuming from hibernate, assume that link was OFF */ +- ufshcd_set_link_off(hba); +- + return 0; + + } diff --git a/queue-6.10/scsi-ufs-core-fix-deadlock-during-rtc-update.patch b/queue-6.10/scsi-ufs-core-fix-deadlock-during-rtc-update.patch new file mode 100644 index 00000000000..925b23507c8 --- /dev/null +++ b/queue-6.10/scsi-ufs-core-fix-deadlock-during-rtc-update.patch 
@@ -0,0 +1,83 @@ +From 3911af778f208e5f49d43ce739332b91e26bc48e Mon Sep 17 00:00:00 2001 +From: Peter Wang +Date: Mon, 15 Jul 2024 14:38:31 +0800 +Subject: scsi: ufs: core: Fix deadlock during RTC update + +From: Peter Wang + +commit 3911af778f208e5f49d43ce739332b91e26bc48e upstream. + +There is a deadlock when runtime suspend waits for the flush of RTC work, +and the RTC work calls ufshcd_rpm_get_sync() to wait for runtime resume. + +Here is deadlock backtrace: + +kworker/0:1 D 4892.876354 10 10971 4859 0x4208060 0x8 10 0 120 670730152367 +ptr f0ffff80c2e40000 0 1 0x00000001 0x000000ff 0x000000ff 0x000000ff + __switch_to+0x1a8/0x2d4 + __schedule+0x684/0xa98 + schedule+0x48/0xc8 + schedule_timeout+0x48/0x170 + do_wait_for_common+0x108/0x1b0 + wait_for_completion+0x44/0x60 + __flush_work+0x39c/0x424 + __cancel_work_sync+0xd8/0x208 + cancel_delayed_work_sync+0x14/0x28 + __ufshcd_wl_suspend+0x19c/0x480 + ufshcd_wl_runtime_suspend+0x3c/0x1d4 + scsi_runtime_suspend+0x78/0xc8 + __rpm_callback+0x94/0x3e0 + rpm_suspend+0x2d4/0x65c + __pm_runtime_suspend+0x80/0x114 + scsi_runtime_idle+0x38/0x6c + rpm_idle+0x264/0x338 + __pm_runtime_idle+0x80/0x110 + ufshcd_rtc_work+0x128/0x1e4 + process_one_work+0x26c/0x650 + worker_thread+0x260/0x3d8 + kthread+0x110/0x134 + ret_from_fork+0x10/0x20 + +Skip updating RTC if RPM state is not RPM_ACTIVE. + +Fixes: 6bf999e0eb41 ("scsi: ufs: core: Add UFS RTC support") +Cc: stable@vger.kernel.org # 6.9.x +Signed-off-by: Peter Wang +Link: https://lore.kernel.org/r/20240715063831.29792-1-peter.wang@mediatek.com +Reviewed-by: Bean Huo +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/core/ufshcd-priv.h | 5 +++++ + drivers/ufs/core/ufshcd.c | 5 ++++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/ufs/core/ufshcd-priv.h ++++ b/drivers/ufs/core/ufshcd-priv.h +@@ -329,6 +329,11 @@ static inline int ufshcd_rpm_get_sync(st + return pm_runtime_get_sync(&hba->ufs_device_wlun->sdev_gendev); + } + ++static inline int ufshcd_rpm_get_if_active(struct ufs_hba *hba) ++{ ++ return pm_runtime_get_if_active(&hba->ufs_device_wlun->sdev_gendev); ++} ++ + static inline int ufshcd_rpm_put_sync(struct ufs_hba *hba) + { + return pm_runtime_put_sync(&hba->ufs_device_wlun->sdev_gendev); +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -8171,7 +8171,10 @@ static void ufshcd_update_rtc(struct ufs + */ + val = ts64.tv_sec - hba->dev_info.rtc_time_baseline; + +- ufshcd_rpm_get_sync(hba); ++ /* Skip update RTC if RPM state is not RPM_ACTIVE */ ++ if (ufshcd_rpm_get_if_active(hba) <= 0) ++ return; ++ + err = ufshcd_query_attr(hba, UPIU_QUERY_OPCODE_WRITE_ATTR, QUERY_ATTR_IDN_SECONDS_PASSED, + 0, 0, &val); + ufshcd_rpm_put_sync(hba); diff --git a/queue-6.10/scsi-ufs-core-fix-hba-last_dme_cmd_tstamp-timestamp-updating-logic.patch b/queue-6.10/scsi-ufs-core-fix-hba-last_dme_cmd_tstamp-timestamp-updating-logic.patch new file mode 100644 index 00000000000..9f6ba056f87 --- /dev/null +++ b/queue-6.10/scsi-ufs-core-fix-hba-last_dme_cmd_tstamp-timestamp-updating-logic.patch 
@@ -0,0 +1,54 @@ +From ab9fd06cb8f0db0854291833fc40c789e43a361f Mon Sep 17 00:00:00 2001 +From: Vamshi Gajjela +Date: Wed, 24 Jul 2024 19:21:26 +0530 +Subject: scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic + +From: Vamshi Gajjela + +commit ab9fd06cb8f0db0854291833fc40c789e43a361f upstream. + +The ufshcd_add_delay_before_dme_cmd() always introduces a delay of +MIN_DELAY_BEFORE_DME_CMDS_US between DME commands even when it's not +required. The delay is added when the UFS host controller supplies the +quirk UFSHCD_QUIRK_DELAY_BEFORE_DME_CMDS. + +Fix the logic to update hba->last_dme_cmd_tstamp to ensure subsequent DME +commands have the correct delay in the range of 0 to +MIN_DELAY_BEFORE_DME_CMDS_US. + +Update the timestamp at the end of the function to ensure it captures the +latest time after any necessary delay has been applied. + +Signed-off-by: Vamshi Gajjela +Link: https://lore.kernel.org/r/20240724135126.1786126-1-vamshigajjela@google.com +Fixes: cad2e03d8607 ("ufs: add support to allow non standard behaviours (quirks)") +Cc: stable@vger.kernel.org +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/core/ufshcd.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -4086,11 +4086,16 @@ static inline void ufshcd_add_delay_befo + min_sleep_time_us = + MIN_DELAY_BEFORE_DME_CMDS_US - delta; + else +- return; /* no more delay required */ ++ min_sleep_time_us = 0; /* no more delay required */ + } + +- /* allow sleep for extra 50us if needed */ +- usleep_range(min_sleep_time_us, min_sleep_time_us + 50); ++ if (min_sleep_time_us > 0) { ++ /* allow sleep for extra 50us if needed */ ++ usleep_range(min_sleep_time_us, min_sleep_time_us + 50); ++ } ++ ++ /* update the last_dme_cmd_tstamp */ ++ hba->last_dme_cmd_tstamp = ktime_get(); + } + + /** 
diff --git a/queue-6.10/series b/queue-6.10/series index cfe69b143ef..b8d2ff0f834 100644 --- a/queue-6.10/series +++ b/queue-6.10/series @@ -186,3 +186,15 @@ alsa-hda-hdmi-yet-more-pin-fix-for-hp-elitedesk-800-g4.patch usb-vhci-hcd-do-not-drop-references-before-new-references-are-gained.patch usb-serial-debug-do-not-echo-input-by-default.patch usb-typec-fsa4480-check-if-the-chip-is-really-there.patch +usb-gadget-core-check-for-unset-descriptor.patch +usb-gadget-midi2-fix-the-response-for-fb-info-with-block-0xff.patch +usb-gadget-u_serial-set-start_delayed-during-suspend.patch +usb-gadget-f_fs-restore-ffs_func_disable-functionality.patch +usb-gadget-u_audio-check-return-codes-from-usb_ep_enable-and-config_ep_by_speed.patch +scsi-mpi3mr-avoid-iommu-page-faults-on-report-zones.patch +scsi-ufs-core-fix-deadlock-during-rtc-update.patch +scsi-ufs-core-do-not-set-link-to-off-state-while-waking-up-from-hibernation.patch +scsi-ufs-core-fix-hba-last_dme_cmd_tstamp-timestamp-updating-logic.patch +tick-broadcast-move-per-cpu-pointer-access-into-the-atomic-section.patch +media-v4l-fix-missing-tabular-column-hint-for-y14p-format.patch +vhost-vdpa-switch-to-use-vmf_insert_pfn-in-the-fault-handler.patch diff --git a/queue-6.10/tick-broadcast-move-per-cpu-pointer-access-into-the-atomic-section.patch b/queue-6.10/tick-broadcast-move-per-cpu-pointer-access-into-the-atomic-section.patch new file mode 100644 index 00000000000..131f8ccb2a0 --- /dev/null +++ b/queue-6.10/tick-broadcast-move-per-cpu-pointer-access-into-the-atomic-section.patch 
@@ -0,0 +1,52 @@ +From 6881e75237a84093d0986f56223db3724619f26e Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Wed, 31 Jul 2024 12:23:51 +0200 +Subject: tick/broadcast: Move per CPU pointer access into the atomic section + +From: Thomas Gleixner + +commit 6881e75237a84093d0986f56223db3724619f26e upstream. + +The recent fix for making the take over of the broadcast timer more +reliable retrieves a per CPU pointer in preemptible context. + +This went unnoticed as compilers hoist the access into the non-preemptible +region where the pointer is actually used. But of course it's valid that +the compiler keeps it at the place where the code puts it which rightfully +triggers: + + BUG: using smp_processor_id() in preemptible [00000000] code: + caller is hotplug_cpu__broadcast_tick_pull+0x1c/0xc0 + +Move it to the actual usage site which is in a non-preemptible region. + +Fixes: f7d43dd206e7 ("tick/broadcast: Make takeover of broadcast hrtimer reliable") +Reported-by: David Wang <00107082@163.com> +Signed-off-by: Thomas Gleixner +Tested-by: Yu Liao +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/87ttg56ers.ffs@tglx +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/tick-broadcast.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/time/tick-broadcast.c ++++ b/kernel/time/tick-broadcast.c +@@ -1141,7 +1141,6 @@ void tick_broadcast_switch_to_oneshot(vo + #ifdef CONFIG_HOTPLUG_CPU + void hotplug_cpu__broadcast_tick_pull(int deadcpu) + { +- struct tick_device *td = this_cpu_ptr(&tick_cpu_device); + struct clock_event_device *bc; + unsigned long flags; + +@@ -1167,6 +1166,8 @@ void hotplug_cpu__broadcast_tick_pull(in + * device to avoid the starvation. + */ + if (tick_check_broadcast_expired()) { ++ struct tick_device *td = this_cpu_ptr(&tick_cpu_device); ++ + cpumask_clear_cpu(smp_processor_id(), tick_broadcast_force_mask); + tick_program_event(td->evtdev->next_event, 1); + } 
diff --git a/queue-6.10/usb-gadget-core-check-for-unset-descriptor.patch b/queue-6.10/usb-gadget-core-check-for-unset-descriptor.patch new file mode 100644 index 00000000000..e3d44379d52 --- /dev/null +++ b/queue-6.10/usb-gadget-core-check-for-unset-descriptor.patch @@ -0,0 +1,47 @@ +From 973a57891608a98e894db2887f278777f564de18 Mon Sep 17 00:00:00 2001 +From: Chris Wulff +Date: Wed, 24 Jul 2024 21:04:20 -0400 +Subject: usb: gadget: core: Check for unset descriptor + +From: Chris Wulff + +commit 973a57891608a98e894db2887f278777f564de18 upstream. + +Make sure the descriptor has been set before looking at maxpacket. +This fixes a null pointer panic in this case. + +This may happen if the gadget doesn't properly set up the endpoint +for the current speed, or the gadget descriptors are malformed and +the descriptor for the speed/endpoint are not found. + +No current gadget driver is known to have this problem, but this +may cause a hard-to-find bug during development of new gadgets. + +Fixes: 54f83b8c8ea9 ("USB: gadget: Reject endpoints with 0 maxpacket value") +Cc: stable@vger.kernel.org +Signed-off-by: Chris Wulff +Link: https://lore.kernel.org/r/20240725010419.314430-2-crwulff@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/core.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/usb/gadget/udc/core.c ++++ b/drivers/usb/gadget/udc/core.c +@@ -118,12 +118,10 @@ int usb_ep_enable(struct usb_ep *ep) + goto out; + + /* UDC drivers can't handle endpoints with maxpacket size 0 */ +- if (usb_endpoint_maxp(ep->desc) == 0) { +- /* +- * We should log an error message here, but we can't call +- * dev_err() because there's no way to find the gadget +- * given only ep. +- */ ++ if (!ep->desc || usb_endpoint_maxp(ep->desc) == 0) { ++ WARN_ONCE(1, "%s: ep%d (%s) has %s\n", __func__, ep->address, ep->name, ++ (!ep->desc) ? "NULL descriptor" : "maxpacket 0"); ++ + ret = -EINVAL; + goto out; + } 
diff --git a/queue-6.10/usb-gadget-f_fs-restore-ffs_func_disable-functionality.patch b/queue-6.10/usb-gadget-f_fs-restore-ffs_func_disable-functionality.patch new file mode 100644 index 00000000000..ca9625f4d3d --- /dev/null +++ b/queue-6.10/usb-gadget-f_fs-restore-ffs_func_disable-functionality.patch @@ -0,0 +1,48 @@ +From 382b6eabb0316b7334d97afbdcf33a4e20b0ecd8 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Fri, 2 Aug 2024 14:04:27 +0000 +Subject: usb: gadget: f_fs: restore ffs_func_disable() functionality + +From: Tudor Ambarus + +commit 382b6eabb0316b7334d97afbdcf33a4e20b0ecd8 upstream. + +The blamed commit made ffs_func_disable() always return -EINVAL as the +method calls ffs_func_set_alt() with the ``alt`` argument being +``(unsigned)-1``, which is always greater than MAX_ALT_SETTINGS. +Use the MAX_ALT_SETTINGS check just in the f->set_alt() code path, +f->disable() doesn't care about the ``alt`` parameter. + +Make a surgical fix, but really the f->disable() code shall be pulled +out from ffs_func_set_alt(), the code will become clearer. A patch will +follow. + +Note that ffs_func_disable() always returning -EINVAL made pixel6 crash +on USB disconnect. + +Fixes: 2f550553e23c ("usb: gadget: f_fs: Add the missing get_alt callback") +Cc: stable +Reported-by: William McVicker +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20240802140428.2000312-2-tudor.ambarus@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_fs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -3731,10 +3731,10 @@ static int ffs_func_set_alt(struct usb_f + struct ffs_data *ffs = func->ffs; + int ret = 0, intf; + +- if (alt > MAX_ALT_SETTINGS) +- return -EINVAL; +- + if (alt != (unsigned)-1) { ++ if (alt > MAX_ALT_SETTINGS) ++ return -EINVAL; ++ + intf = ffs_func_revmap_intf(func, interface); + if (intf < 0) + return intf; 
diff --git a/queue-6.10/usb-gadget-midi2-fix-the-response-for-fb-info-with-block-0xff.patch b/queue-6.10/usb-gadget-midi2-fix-the-response-for-fb-info-with-block-0xff.patch new file mode 100644 index 00000000000..c15057380f2 --- /dev/null +++ b/queue-6.10/usb-gadget-midi2-fix-the-response-for-fb-info-with-block-0xff.patch 
@@ -0,0 +1,54 @@ +From 228a953e61d6d608a3facc1c3a27b9fb03c99de7 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 17 Jul 2024 11:50:53 +0200 +Subject: usb: gadget: midi2: Fix the response for FB info with block 0xff + +From: Takashi Iwai + +commit 228a953e61d6d608a3facc1c3a27b9fb03c99de7 upstream. + +When the block number 0xff is given to Function Block Discovery +message, the device should return the information of all Function +Blocks, but currently the gadget driver treats it as an error. + +Implement the proper behavior for the block 0xff instead. + +Fixes: 8b645922b223 ("usb: gadget: Add support for USB MIDI 2.0 function driver") +Cc: stable@vger.kernel.org +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/r/20240717095102.10493-1-tiwai@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_midi2.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +--- a/drivers/usb/gadget/function/f_midi2.c ++++ b/drivers/usb/gadget/function/f_midi2.c +@@ -642,12 +642,21 @@ static void process_ump_stream_msg(struc + if (format) + return; // invalid + blk = (*data >> 8) & 0xff; +- if (blk >= ep->num_blks) +- return; +- if (*data & UMP_STREAM_MSG_REQUEST_FB_INFO) +- reply_ump_stream_fb_info(ep, blk); +- if (*data & UMP_STREAM_MSG_REQUEST_FB_NAME) +- reply_ump_stream_fb_name(ep, blk); ++ if (blk == 0xff) { ++ /* inquiry for all blocks */ ++ for (blk = 0; blk < ep->num_blks; blk++) { ++ if (*data & UMP_STREAM_MSG_REQUEST_FB_INFO) ++ reply_ump_stream_fb_info(ep, blk); ++ if (*data & UMP_STREAM_MSG_REQUEST_FB_NAME) ++ reply_ump_stream_fb_name(ep, blk); ++ } ++ } else if (blk < ep->num_blks) { ++ /* only the specified block */ ++ if (*data & UMP_STREAM_MSG_REQUEST_FB_INFO) ++ reply_ump_stream_fb_info(ep, blk); ++ if (*data & UMP_STREAM_MSG_REQUEST_FB_NAME) ++ reply_ump_stream_fb_name(ep, blk); ++ } + return; + } + } 
diff --git a/queue-6.10/usb-gadget-u_audio-check-return-codes-from-usb_ep_enable-and-config_ep_by_speed.patch b/queue-6.10/usb-gadget-u_audio-check-return-codes-from-usb_ep_enable-and-config_ep_by_speed.patch new file mode 100644 index 00000000000..e1854db362d --- /dev/null +++ b/queue-6.10/usb-gadget-u_audio-check-return-codes-from-usb_ep_enable-and-config_ep_by_speed.patch 
@@ -0,0 +1,107 @@ +From 76a7bfc445b8e9893c091e24ccfd4f51dfdc0a70 Mon Sep 17 00:00:00 2001 +From: Chris Wulff +Date: Sun, 21 Jul 2024 15:23:15 -0400 +Subject: usb: gadget: u_audio: Check return codes from usb_ep_enable and config_ep_by_speed. + +From: Chris Wulff + +commit 76a7bfc445b8e9893c091e24ccfd4f51dfdc0a70 upstream. + +These functions can fail if descriptors are malformed, or missing, +for the selected USB speed. + +Fixes: eb9fecb9e69b ("usb: gadget: f_uac2: split out audio core") +Fixes: 24f779dac8f3 ("usb: gadget: f_uac2/u_audio: add feedback endpoint support") +Cc: stable@vger.kernel.org +Signed-off-by: Chris Wulff +Link: https://lore.kernel.org/r/20240721192314.3532697-2-crwulff@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/u_audio.c | 42 +++++++++++++++++++++++++++------- + 1 file changed, 34 insertions(+), 8 deletions(-) + +--- a/drivers/usb/gadget/function/u_audio.c ++++ b/drivers/usb/gadget/function/u_audio.c +@@ -592,16 +592,25 @@ int u_audio_start_capture(struct g_audio + struct usb_ep *ep, *ep_fback; + struct uac_rtd_params *prm; + struct uac_params *params = &audio_dev->params; +- int req_len, i; ++ int req_len, i, ret; + + prm = &uac->c_prm; + dev_dbg(dev, "start capture with rate %d\n", prm->srate); + ep = audio_dev->out_ep; +- config_ep_by_speed(gadget, &audio_dev->func, ep); ++ ret = config_ep_by_speed(gadget, &audio_dev->func, ep); ++ if (ret < 0) { ++ dev_err(dev, "config_ep_by_speed for out_ep failed (%d)\n", ret); ++ return ret; ++ } ++ + req_len = ep->maxpacket; + + prm->ep_enabled = true; +- usb_ep_enable(ep); ++ ret = usb_ep_enable(ep); ++ if (ret < 0) { ++ dev_err(dev, "usb_ep_enable failed for out_ep (%d)\n", ret); ++ return ret; ++ } + + for (i = 0; i < params->req_number; i++) { + if (!prm->reqs[i]) { +@@ -629,9 +638,18 @@ int u_audio_start_capture(struct g_audio + return 0; + + /* Setup feedback endpoint */ +- config_ep_by_speed(gadget, &audio_dev->func, ep_fback); ++ ret = 
config_ep_by_speed(gadget, &audio_dev->func, ep_fback); ++ if (ret < 0) { ++ dev_err(dev, "config_ep_by_speed in_ep_fback failed (%d)\n", ret); ++ return ret; // TODO: Clean up out_ep ++ } ++ + prm->fb_ep_enabled = true; +- usb_ep_enable(ep_fback); ++ ret = usb_ep_enable(ep_fback); ++ if (ret < 0) { ++ dev_err(dev, "usb_ep_enable failed for in_ep_fback (%d)\n", ret); ++ return ret; // TODO: Clean up out_ep ++ } + req_len = ep_fback->maxpacket; + + req_fback = usb_ep_alloc_request(ep_fback, GFP_ATOMIC); +@@ -687,13 +705,17 @@ int u_audio_start_playback(struct g_audi + struct uac_params *params = &audio_dev->params; + unsigned int factor; + const struct usb_endpoint_descriptor *ep_desc; +- int req_len, i; ++ int req_len, i, ret; + unsigned int p_pktsize; + + prm = &uac->p_prm; + dev_dbg(dev, "start playback with rate %d\n", prm->srate); + ep = audio_dev->in_ep; +- config_ep_by_speed(gadget, &audio_dev->func, ep); ++ ret = config_ep_by_speed(gadget, &audio_dev->func, ep); ++ if (ret < 0) { ++ dev_err(dev, "config_ep_by_speed for in_ep failed (%d)\n", ret); ++ return ret; ++ } + + ep_desc = ep->desc; + /* +@@ -720,7 +742,11 @@ int u_audio_start_playback(struct g_audi + uac->p_residue_mil = 0; + + prm->ep_enabled = true; +- usb_ep_enable(ep); ++ ret = usb_ep_enable(ep); ++ if (ret < 0) { ++ dev_err(dev, "usb_ep_enable failed for in_ep (%d)\n", ret); ++ return ret; ++ } + + for (i = 0; i < params->req_number; i++) { + if (!prm->reqs[i]) { diff --git a/queue-6.10/usb-gadget-u_serial-set-start_delayed-during-suspend.patch b/queue-6.10/usb-gadget-u_serial-set-start_delayed-during-suspend.patch new file mode 100644 index 00000000000..94cbf360aac --- /dev/null +++ b/queue-6.10/usb-gadget-u_serial-set-start_delayed-during-suspend.patch 
@@ -0,0 +1,36 @@ +From 5a444bea37e2759549ef72bfe83d1c8712e76b3d Mon Sep 17 00:00:00 2001 +From: Prashanth K +Date: Tue, 30 Jul 2024 18:27:54 +0530 +Subject: usb: gadget: u_serial: Set start_delayed during suspend + +From: Prashanth K + +commit 5a444bea37e2759549ef72bfe83d1c8712e76b3d upstream. + +Upstream commit aba3a8d01d62 ("usb: gadget: u_serial: add suspend +resume callbacks") added started_delayed flag, so that new ports +which are opened after USB suspend can start IO while resuming. +But if the port was already opened, and gadget suspend kicks in +afterwards, start_delayed will never be set. This causes resume +to bail out before calling gs_start_io(). Fix this by setting +start_delayed during suspend. + +Fixes: aba3a8d01d62 ("usb: gadget: u_serial: add suspend resume callbacks") +Cc: stable@vger.kernel.org +Signed-off-by: Prashanth K +Link: https://lore.kernel.org/r/20240730125754.576326-1-quic_prashk@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/u_serial.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/gadget/function/u_serial.c ++++ b/drivers/usb/gadget/function/u_serial.c +@@ -1441,6 +1441,7 @@ void gserial_suspend(struct gserial *gse + spin_lock(&port->port_lock); + spin_unlock(&serial_port_lock); + port->suspended = true; ++ port->start_delayed = true; + spin_unlock_irqrestore(&port->port_lock, flags); + } + EXPORT_SYMBOL_GPL(gserial_suspend); diff --git a/queue-6.10/vhost-vdpa-switch-to-use-vmf_insert_pfn-in-the-fault-handler.patch b/queue-6.10/vhost-vdpa-switch-to-use-vmf_insert_pfn-in-the-fault-handler.patch new file mode 100644 index 00000000000..ab58afa0118 --- /dev/null +++ b/queue-6.10/vhost-vdpa-switch-to-use-vmf_insert_pfn-in-the-fault-handler.patch 
@@ -0,0 +1,45 @@ +From 0823dc64586ba5ea13a7d200a5d33e4c5fa45950 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Mon, 1 Jul 2024 11:31:59 +0800 +Subject: vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler + +From: Jason Wang + +commit 0823dc64586ba5ea13a7d200a5d33e4c5fa45950 upstream. + +remap_pfn_page() should not be called in the fault handler as it may +change the vma->flags which may trigger lockdep warning since the vma +write lock is not held. Actually there's no need to modify the +vma->flags as it has been set in the mmap(). So this patch switches to +use vmf_insert_pfn() instead. + +Reported-by: Dragos Tatulea +Tested-by: Dragos Tatulea +Fixes: ddd89d0a059d ("vhost_vdpa: support doorbell mapping via mmap") +Cc: stable@vger.kernel.org +Signed-off-by: Jason Wang +Message-Id: <20240701033159.18133-1-jasowang@redhat.com> +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Michal Kubiak +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vdpa.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +--- a/drivers/vhost/vdpa.c ++++ b/drivers/vhost/vdpa.c +@@ -1483,13 +1483,7 @@ static vm_fault_t vhost_vdpa_fault(struc + + notify = ops->get_vq_notification(vdpa, index); + +- vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); +- if (remap_pfn_range(vma, vmf->address & PAGE_MASK, +- PFN_DOWN(notify.addr), PAGE_SIZE, +- vma->vm_page_prot)) +- return VM_FAULT_SIGBUS; +- +- return VM_FAULT_NOPAGE; ++ return vmf_insert_pfn(vma, vmf->address & PAGE_MASK, PFN_DOWN(notify.addr)); + } + + static const struct vm_operations_struct vhost_vdpa_vm_ops = {
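Review bot: in mpi3mr_prepare_sg_scmd() (drivers/scsi/mpi3mr/mpi3mr_os.c), the override to DMA_BIDIRECTIONAL is applied to every REPORT ZONES command, while the commit message attributes the byte-swapping to "some firmware versions of the 9600 series". This widens the IOMMU mapping from write-only to read-write on every controller the driver handles. If the affected firmware can be identified, gate the override on it; otherwise state in the comment that the widening is deliberate and unconditional. The assignment also rewrites scmd->sc_data_direction in place, so every later reader of that field sees DMA_BIDIRECTIONAL rather than the direction the command was submitted with, which deserves a line in the comment. The added comment says "enforcing write mappings" where the commit message says "write-only mappings"; the comment should use the latter wording.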
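Review bot: in ufshcd_update_rtc() (drivers/ufs/core/ufshcd.c), only the get side is changed and ufshcd_rpm_put_sync(hba) is kept after ufshcd_query_attr(), yet the backtrace in the commit message enters runtime PM from ufshcd_rtc_work through __pm_runtime_idle and rpm_suspend and ends in cancel_delayed_work_sync and __flush_work. That is the release side running a synchronous suspend from inside the work item that the suspend path then waits on. Consider an asynchronous put here so the RTC work never runs the suspend callback itself. Separately, the `<= 0` test folds a negative error return and the not-active case into one silent return; the comment should say both are skipped on purpose.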
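Review bot: in usb_ep_enable() (drivers/usb/gadget/udc/core.c), the new `!ep->desc` check reports through WARN_ONCE(1, ...), which emits a full stack dump and, on systems booted with panic_on_warn, turns the NULL-descriptor case back into the panic the commit message sets out to remove. Because it fires only once, a second misconfigured endpoint then fails with -EINVAL and no log line at all. A rate-limited pr_err carrying the same ep->address and ep->name would report each endpoint without the WARN semantics.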
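Review bot: in ffs_func_set_alt() (drivers/usb/gadget/function/f_fs.c), the disable path is still recognised only by the bare sentinel in `if (alt != (unsigned)-1)`, and that sentinel colliding with the MAX_ALT_SETTINGS range check is what the blamed commit got wrong. Until the f->disable() code is pulled out as the commit message promises, add a comment at that `if` stating that (unsigned)-1 means the call came from ffs_func_disable() and must not be range-checked, or give the sentinel a named constant so the next range check added above it does not repeat the regression.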
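Review bot: in u_audio_start_capture() and u_audio_start_playback() (drivers/usb/gadget/function/u_audio.c), `prm->ep_enabled = true;` is still set before usb_ep_enable(ep), so the new `return ret;` on failure leaves the flag claiming an endpoint that was never enabled; the same applies to `prm->fb_ep_enabled = true;` ahead of usb_ep_enable(ep_fback). Set each flag only after the call succeeds, or clear it on the error path. The two feedback-endpoint failure returns are marked `// TODO: Clean up out_ep` and return with out_ep already enabled; that cleanup should be part of this change rather than left as a TODO in a stable backport.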
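Review bot: in gserial_suspend() (drivers/usb/gadget/function/u_serial.c), `port->start_delayed = true;` is set for every port that gets suspended, while the commit message describes the missing case as a port that "was already opened" before suspend. With the flag set unconditionally, resume no longer bails out before gs_start_io() for a port that was never opened either. Make the assignment conditional on the port being open, or state in the commit message that the resume path checks this itself.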
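Review bot: in vhost_vdpa_fault() (drivers/vhost/vdpa.c), the removal drops `vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);` together with remap_pfn_range(), and vmf_insert_pfn() maps with whatever vma->vm_page_prot already holds. The commit message says the vma flags are set in mmap(), but it says nothing about the page protection, and the mmap handler is not part of this diff. Confirm that the non-cached protection for the doorbell page is applied there and say so in the message. The message also names remap_pfn_page() where the removed call is remap_pfn_range().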